- Title
ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and .NET Environments.
- Authors
Rose, Anthony J.; Graham, Scott R.; Schubert Kabban, Christine M.; Krasnov, Jacob J.; Henry, Wayne C.
- Abstract
The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and .NET environments to circumvent the AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell's ScriptBlock creation and its inherent security features and pinpoints critical limitations in the AMSI's capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and .NET environments.
- Subjects
ANTI-malware (Computer software); COMPUTER operating systems; ANTIVIRUS software; SYNCHRONIZATION; PHISHING
- Publication
Journal of Cybersecurity & Privacy, 2024, Vol 4, Issue 2, p153
- ISSN
2624-800X
- Publication type
Article
- DOI
10.3390/jcp4020008